Comments: Separation of Roles - an example

basically, a lot of this is long term standard countermeasures to insider fraud. i have some recollection of early 80s starting to really get into threat analysis and countermeasures for insider exploits.

this somewhat all became obfuscated with the internet and the attention being paid to outsider exploits .... even thru the whole internet era, the studies have continued to show that the majority of fraud is still related to insiders. one might even conjecture the people behind serious fraud help promote the attention paid to outsiders as misdirection.

of course the other is that a lot of the internet stuff is somewhat more likely to make the popular press since the general public has more awareness of internet as opposed to the long standing backroom business processes where the majority of financial activity actually occurs.

as implied, there may be some issue with internet stuff more likely to involve people who have little or no knowledge and experience with real business issues and history of the serious threats, vulnerabilities, and exploits.

recent article:

Organization Seen Ignoring Main Culprit in Information Security Breaches
http://www.sdcexec.com/article_arch.asp?article_id=8512

references to a few previous articles and/or studies
http://www.garlic.com/~lynn/aadsm12.htm#44 Identity Theft More Often an Inside Job
http://www.garlic.com/~lynn/aadsm17.htm#38 Study: ID theft usually an inside job
http://www.garlic.com/~lynn/aadsm18.htm#49 one more time now, Leading Cause of Data Security breaches Are Due to Insiders, Not Outsiders

of course, the above articles relate to (insider) breaches where the information may be turned around and used for identity and/or account theft. it doesn't talk about the other kinds of insider fraud like embezzlement or inflated purchase orders making payments to some relative.

so for some additional drift, a posting mentioning financial controls, payment protocols (and digital certificates)
http://www.garlic.com/~lynn/2006f.html#32 X.509 and ssh
http://www.garlic.com/~lynn/2006f.html#36 X.509 and ssh

the above references the trivial scenario of corporate checks that had logo stamped on them that they weren't good for more than a certain value. what they then found was that the work around was to write a whole collection of such checks (for just under the limit).

One of the times this came up was in the mid-90s involving some PKI proponents suggesting that digital certificates could have similar limit statements in support of using PKI-based (offline) financial transactions emulating the (offline) check model. At about the same time, there was an article in the national news about a NYC public school official writing (one of these business checks with limit) 200 checks for $5000 each to funnel $1m to a front company as part of embezzlement.

The scenario that business had gone to was online transactions ... frequently implemented with a special business card (form of credit or debit card) that had backend business rules, not only about amount of individual purchases, but some implemented business rules about where the card could be used as well as what kind of purchases that the card could be used for. It also had aggregated rules ... about max. money that could be spent per period (as countermeasure to embezzlement doing a large number of smaller individual transactions). Of course, there was also multi-party oversight/approval of monthly activity (but it gained not requiring detailed multi-party oversight/approval of each individual purchase) ... which obviously didn't happen in this particular example.

What some of the PKI proponents had difficulty coming to grips with was that the stale, static offline check model was being replaced with dynamic, realtime, online operation.

The stale, static offline credential, certificate, diploma, license, letters of credit, letters of introduction paradigm had served the world for centuries providing trusted information to relying parties (who otherwise didn't have any other means of accessing and/or validating the information).

The PKI digital certificate is an electronic analog of that stale, static offline paradigm. Many of the PKI proponents seem to have trouble coming to grips with modern infrastructures moving to online operations and away from the old-fashioned stale, static offline method (in part because online, realtime operation can close a lot of shortcomings and vulnerabilities implicit with offline).

Posted by Lynn Wheeler at April 16, 2006 12:39 PM
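The comment above contrasts a check stamped with a per-item limit against an online business card whose issuer keeps state: per-transaction limits, merchant restrictions, and an aggregate cap per period. The following is an added illustration (not code from the commenter or from any issuer) that simulates both models on the quoted case of 200 items of $5000. The card id, the $5000 and $50,000 limits, the merchant categories and the dates are all constructed sample values; the near-limit cluster report stands in for the monthly multi-party oversight step.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Purchase:
    card: str           # hypothetical card identifier
    amount: int         # whole dollars
    merchant_cat: str   # merchant category the transaction arrives from
    when: date


@dataclass(frozen=True)
class CardRules:
    per_txn_limit: int        # the same limit a stamped check can express
    per_month_limit: int      # aggregate rule a stamped check cannot express
    allowed_cats: frozenset   # where the card may be used at all


class OfflineCheckLimit:
    """Stamped-check model: each item is judged alone, nothing is remembered."""

    def __init__(self, limit: int) -> None:
        self.limit = limit

    def authorize(self, p: Purchase) -> bool:
        return p.amount <= self.limit


class OnlineAuthorizer:
    """Online model: the issuer keeps state, so aggregate and category rules apply."""

    def __init__(self, rules: dict) -> None:
        self.rules = rules
        self.spent = defaultdict(int)   # (card, year, month) -> dollars approved so far

    def authorize(self, p: Purchase) -> tuple:
        r = self.rules[p.card]
        if p.merchant_cat not in r.allowed_cats:
            return False, "merchant category not permitted"
        if p.amount > r.per_txn_limit:
            return False, "over per-transaction limit"
        key = (p.card, p.when.year, p.when.month)
        if self.spent[key] + p.amount > r.per_month_limit:
            return False, "over monthly aggregate"
        self.spent[key] += p.amount      # state that only an online system can keep
        return True, "approved"


def near_limit_clusters(purchases, limit: int, band: float = 0.05, min_count: int = 5) -> dict:
    """Oversight report: cards with many items sitting just under the per-item limit."""
    counts = defaultdict(int)
    for p in purchases:
        if limit * (1 - band) <= p.amount <= limit:
            counts[p.card] += 1
    return {card: n for card, n in counts.items() if n >= min_count}


def run_scenario() -> dict:
    limit = 5000
    rules = {"card-A": CardRules(limit, 50_000, frozenset({"office_supplies", "travel"}))}
    start = date(2006, 4, 1)
    # constructed sample: 200 items of $5000 within one month, as in the quoted news case
    items = [Purchase("card-A", 5000, "office_supplies", start + timedelta(days=i % 28))
             for i in range(200)]
    offline = OfflineCheckLimit(limit)
    online = OnlineAuthorizer(rules)
    offline_ok = sum(1 for p in items if offline.authorize(p))
    online_ok = sum(1 for p in items if online.authorize(p)[0])
    # one small purchase at a merchant category the card is not permitted at
    _, reason = online.authorize(Purchase("card-A", 200, "jewelry", start))
    return {
        "offline_approved": offline_ok,
        "online_approved": online_ok,
        "online_declined": len(items) - online_ok,
        "category_decline_reason": reason,
        "flagged_cards": near_limit_clusters(items, limit),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The per-item check passes every one of the 200 items, exactly as the stamped check did; the online authorizer approves ten of them and declines the rest on the monthly aggregate, and the category rule declines the out-of-policy merchant regardless of amount. The cluster report is what the monthly oversight would see even if the aggregate cap were set too generously.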

Doesn't "dynamic, realtime, online", without controls at least as stringent as for the offline transactions, allow fraud and embezzlement to be perpetrated all the more rapidly?

"Apparent authority" is a very good doctrine. It deals with what the principal has told the third party about the authority of the agent to bind the principal, and sometimes (as in the above-related case) about what the third party can reasonably infer by what the principal _hasn't_ told him. The other main means of holding a principal liable for the acts of his agent is "actual authority," where the principal in fact delegated authority to his agent. A third party often has no way of learning beforehand about this other than through apparent authority, so this doctrine is not as useful for protecting third parties from people acting under the color of authority.

A third means whereby a principal can be bound by his supposed agent is "estoppel," where the agent claimed authority, the third party's belief in that authority was reasonable (even though not derived from an act or omission of the principal), and the principal benefited (unjust enrichment) from the exercise of that authority.

This trio of actual, apparent, and estoppel authority is one of the basic "patterns of integrity" that recurs in agency law, partnership law, corporate law, and government activities -- basically, it recurs any time two or more people are acting legally like one person or one person is acting legally for another -- and I suspect I'll find good analogs of it in computer security or organizational controls once I switch back to thinking about that field.

Can you tell I'm studying for my corporate law finals? :-)

Posted by nick at April 17, 2006 11:29 PM